Technology Trends & Management Consulting

August 8, 2009

Not cut out to be a project manager?

Filed under: PMP, Project Management — Daniel Ruggles @ 7:23 pm

 

http://www.projectmanagerplanet.com/leadership/article.php/3832811.

Traits that make an effective project manager

1.  Active listening for concerns, which eventually leads to differentiating the concerns that affect a person or a group from those that affect the objective of the project

2.  Communicating objectives in different ways to different audiences using different media

3.  Using humor, if possible, to defuse tension

4.  The ability to think fast on your feet to discuss/dispute a point, without making it personal or taking it personally

5.  Detail oriented in keeping notes, issues, schedules, scope and all the documentation paraphernalia so important to project execution and project close

 Traits that undermine a person’s ability to manage projects well

1.  Trying to be everyone’s friend on a project….you were hired or put in charge to execute a plan or achieve an objective, not to make friends and win over enemies

2.  Taking setbacks personally or looking for scapegoats on the “bumps along the road to success”; problems happen, get over it and look for solutions.

3.  Getting angry, losing your temper in public, apologizing….it is too late and demeans you as a logical, analytical problem solver

4.  There are no “favorites” in a project team…there are team members who, if given the chance, probably all want to achieve and share in success equally

5.  If you cannot summarize a contentious discussion and net the salient points into a simple elevator-like explanation….you cannot succinctly communicate and get buy-in for the problem solution

December 9, 2008

Safe choices drive security policies

Filed under: Blogroll, Management Consultant, Security Management — Daniel Ruggles @ 3:13 pm

Working in many companies as an IT consultant allows me to see a broader spectrum of policies, business justifications and processes than many of the clients I work with, especially if they have been with their company for many years.  One of the more vexing notions that continue to surface in different forms is making decisions based on the logic of the herd concept.  Or put another way, let’s pretend we are lemmings!  Many years ago it was “No one got fired for buying from IBM” and after that “No one got fired for hiring Andersen Consulting” and there are more permutations of this phrase than time allows to list.

A recent iteration is “No one got fired for banning IM”.  There was an article in the www.networkworld.com December 1, 2008 issue that covered this topic with a touch of humor and angst, written by Andreas Antonopoulos.

Conducting business entails risk.  It does not matter what type of business you participate in.  Instant Messaging (IM) and various chat capabilities available to companies internally and externally are nothing more than extensions of using a phone or sending e-mail (really fast!!).  Those forms of communication are not banned and are seen as integral communication methods.  IM is just a variation of those methods.  It is often easier for security groups within companies to just say “NO” than to develop creative methods to support the business.

Most companies I have worked in allow users Administrative privileges for their Windows laptops.  Even though that is a really bad idea and allows everyone to load software they bring in from home, they do not trust them to conduct business over IM.

October 30, 2008

Workers, Wages, and H-1B

Filed under: H1-B, Outsource — Daniel Ruggles @ 12:56 am

H-1B visas were designed to bring into the U.S. specialists when companies cannot find an American citizen with equivalent skills.  Or they cannot find sufficient quantities of these specialized skills.  In a recent study, U.S. Citizenship & Immigration Services found that 13% of the requests for H-1B visas were fraudulent and 7% contain technical violations.  The study was based on 246 H-1B petitions. 

Critics of this entire process point out these issues and claim that these visas are used to hire cheap labor from abroad instead of hiring Americans.  That is only partly true.

As with most government run programs, this one needs better oversight and investigative controls to be put in place.  If the H-1B employee does not have the academic credentials or experience to justify the visa, they should not receive one.  H-1B workers are supposed to be paid the prevailing wages for their positions and geographic location.  If they do not receive this wage, it is a violation of the rules. 

Balancing the issue of more visas being issued and raising the ceiling should be coupled with greater government spending on education, re-tooling displaced workers with other skills that help push down unemployment  and other government spending that sparks longer-term innovation. 

Growth, Debt and Outsourcing

Filed under: Outsource — Daniel Ruggles @ 12:54 am

Economic growth in the U.S. has averaged 2.7% over the past years.  Taking out personal consumption, the growth was 1.3% per year in the 10 years ending in 2007.  That is the slowest growth rate since the 1950s.  U.S. consumers have run up about $3 trillion in excess borrowing and spending over the same period.  This does not match income growth.  This consumer debt translated into new homes, cars, furniture, and clothing and has pushed U.S. growth.  However, consumer debt is a symptom of a deeper problem.  Without this excess spending the growth would have been considerably lower.  The same applies to a lesser extent on a worldwide basis, but the U.S. still leads in saving the least amount of money by individual consumers.  The global growth bubble was fueled by excess borrowing.

Consumer spending is declining, capital spending is declining by corporations, and everyone is girding their belt to tighten up spending.  The way out of this slow growth is for U.S. companies to pay more attention to sustaining productivity growth and innovation at home rather than resorting to outsourcing as their main source of cost savings.  Spending more money with non-U.S. companies does little to spark innovation and productivity within the U.S. 

The financial bailout, like it or not, is somewhat of a reality.  Any other monies spent by the government should be directed towards stimulating investment and innovation rather than consumer spending.  This will have a longer term positive effect.  By longer term, that means many years, not a couple of quarters.

Greater investment of this kind will slowly raise wages.  Another $1,200 to each U.S. citizen sometime next year from the government will NOT invigorate the economy.  Adjusted for inflation, the weekly earnings of a worker with a bachelor’s degree have fallen by 6% since 2003.  Real wages have usually gone up in an economy with rising productivity, but this has not happened.  Outsourcing has oftentimes been seen as the result of productivity gains.  All that did was transfer more money out of the U.S., displace some number of workers, and lower the average earnings.

October 18, 2007

Sourcing’s Hidden Sore Points – India

Filed under: Infrastructure, Outsource — Daniel Ruggles @ 5:48 pm

There is nothing wrong with sourcing selective activities away from your internal staff to an external service provider.  You can use this tool to save money, focus on your core business, spend less management time on non-essential tasks, and possibly redeploy savings towards more strategic initiatives.  This does not automatically mean that you should source to a company out of India.  Danger signals coming out of India point to a bumpy road ahead that will spell trouble for U.S. companies that have automatically gone this route.

Infrastructure within India is poor and sometimes downright non-workable.

Have you ever tried to obtain a high-speed (greater than a T-1) circuit from Topeka, Kansas to India?  Ever examine the up-time of that circuit versus the cost?  Ever make a trip to your offshore site and have the pleasure of going through the airport in India, riding in a cab to the distant location and staying in a local hotel?  Over the past 10 years what was a dismal situation has not improved and is not likely to improve anytime soon.  Ten years from now, this entire local and technical infrastructure will likely collapse from inattention.  Growth in business has not fueled any investment by India in the basics.

Costs will Adjust.

The value of the Rupee is rising, the dollar will continue to drop or remain low over the next several years, labor costs in India, along with inflation, will continue to rise.  If there are price adjustments in existing contracts, plan on upward adjustments coming out soon. If you finished a business case recently without taking these factors into account, you have an invalid business case.

Distance and Language Does Make a Difference.

Trying to develop software with teams having a 12-hour time difference makes a process that already has a high failure rate very difficult.  When you examine the historical costs of projects in your company, and the number that were completed on-time, do not delude yourself into thinking things will improve once you add time differences and language accents into the mix.  This may not be a politically correct point to make, but given the fact that individuals from the same company at the same location have difficulty communicating effectively, it will certainly not improve matters injecting individuals with English as a second language that are now working during their night time for you.

Conflicting Management Issues.

The Indian vendors are hard at work acquiring, hiring and expanding. In a recent interview, Wipro’s CMO said the IT services provider will add 15,000 new employees in 2007.  TCS has an even larger number.  That type of double digit staff growth is difficult to manage, while keeping the business growth up to par.  Remember the tech boom when anyone that could spell JAVA got hired?  How many of those were later determined to be low quality hires?  Throwing inexpensive warm technical bodies at a problem does not make a recipe for success in the long-term.  It saves you money initially and then you get to increase the internal QA functions and add more management oversight on the receiving end of the sourcing service.

If it is not written, it has not been said.

Working with staff so far removed from the actual business mandates a more formal approach to requirements gathering, sign-off, use cases, and incremental development steps spelled out by the Software Engineering Institute’s Capability Maturity Model (CMM).  If your organization lacks this type of discipline or experience, your business case had better take into account on-going education expenses on methodology and the discipline associated with the Project Management Institute. Ad-hoc requirements spelled out over the coffee break area will no longer be acceptable.

Turnover

As with any growth industry concentrated in a small location, staff has the option of moving from organization to organization.  Staff turnover might be driven by the desire to stop working odd hours, better pay, better job or any of the other reasons people change jobs.  Turnover has been rising in India and will become a problem for any long-term support model you might be relying on.  Who gets the tasks of orienting newly acquired staff – you or the outsourcing company?

Political Stability

Pakistan and India have been at odds on a number of issues.  There is terrorism in India and some locals resent that their culture is changing, youth’s outlook on family and values are evolving, and some just do not like the U.S. Sabotage attempts have already taken place and trains have been blown up. Probably do not have to do much to some of the infrastructure as it is likely to crumble with neglect. There are problems between India’s Hindu and Muslim populations and the caste system is alive and well in India. 

April 11, 2007

Sarbanes-Oxley Act (SOX) Audit Requirements

The Sarbanes-Oxley Act (SOX), passed in 2002, spells out requirements for internal controls.  Some organizations have turned to the standards published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These do not, however, provide specific guidelines for organizations that deal with databases, a key area of concern for SOX compliance, but instead provide an excellent conceptual architecture for organizations to build a compliant IT control framework for the enterprise.  Others are relying upon the best practices set forth by COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library). However, these frameworks are incomplete with regard to the concerns set forth under SOX relating to databases. Databases are at the center of the SOX control issue. Ensuring effective controls over database activity (writes, deletes, changes, and administration) is absolutely crucial to maintaining data integrity.  Control must also extend to server and mainframe applications and unstructured data. Meeting SOX compliance centers on four areas:  audit trails, segregation of duties, change control, and patch management.

Audit Trails

Companies need to answer who changed a record, who deleted a record, changes to a schema, with particular detailed attention to privileged users.  These audit logs are usually a normal by-product of most database and application tools.  There needs to be a process to regularly review patterns and to store the logs for at least 5 years. 

Segregation of Duties

The Information Systems Audit and Control Association (ISACA) has issued guidelines calling for IT organizations to assign clear job roles and functions, and to assign database and system permissions according to those roles and functions. Please refer to www.isaca.org and the publication titled Control Objectives for Sarbanes-Oxley 2nd Edition for additional detail.   

Change Control

Organizations need to document changes to their technical environment, and adoption of ITIL’s Change and Release Management plays a crucial role in satisfying this area.

Patch Management

Applications and associated databases should be patched on a predefined schedule that takes into account the peak usage periods for these systems, while providing substantial review of the patches with adequate testing.

There are some other internal controls over financial reporting (ICoFR) that relate to database auditing and include:

  • Network access should be limited only to certain defined systems (via strong firewall and IP restrictions).

  • Unnecessary service access should be blocked at the network access device.  This would be satisfied by “hardened” proxy servers.

  • Frequent review of user accounts and passwords should regularly verify that all permissions reflect actual user roles and responsibilities.  This has given rise to a number of products associated with Identity Management (IM) and Network Access Control (NAC).

These should be performed several times a year, in alignment with HR systems and general identity management solutions.

  • Financial transactions are properly recorded by authorized users
  • Data has not been compromised by unauthorized or authorized means
  • All changes to the financial data are monitored

Achieving these controls presents IT managers with the challenge of auditing (and maintaining an audit history) for a variety of SOX-related activity, including all:

  • privileged user activity
  • changes to user privileges
  • failed login attempts
  • logical access failures
  • database schema changes
  • direct data access events


April 9, 2007

ISO 20000 Background, Audit, and Assessment (Plan-Do-Check-Act)

Filed under: ISO 20000, ITIL — Daniel Ruggles @ 4:00 pm

ISO 20000 is based upon an original pair of documents, BS15000-1/2, which were published in 2002 and 2003 respectively.  ISO 20000 is the international standard for IT Service management and comprises two parts: ISO/IEC 20000-1 and ISO/IEC 20000-2. ISO 20000-1 is the ‘Specification for Service Management’, and it is this part that an organization is certified against. ISO 20000-2 is the ‘Code of practice for Service Management’, and describes best practices, and the requirements of Part 1.

ITIL is the process defined framework for IT operations.  ISO 20000-2 is the code of practice built on top of ITIL tailored processes.   ISO 20000-1 is the specification for ITSM that would facilitate the audit.  The framework had been harmonized with other international standards, to embrace the familiar PDCA (Plan-Do-Check-Act).

[Diagram: plan-check-do-act.pdf]

Managed Services illustrated in the diagram could be internal IT services or externally supplied services.  Aligning processes and procedures is accomplished in the planning and implementation phase. The methodology, known as Plan-Do-Check-Act (PDCA), can be applied to all processes, as follows:

  • Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.
  • Do: Implement the processes.
  • Check: Monitor and measure processes and services against policies’ objectives and requirements and report the results.
  • Act: Take actions on the differences and continually improve process performance.

Multiple service management plans may be used in place of one large plan or program. Where this is the case, the underlying service management processes should be consistent with each other. It should also be possible to demonstrate how each process and requirement is managed by linking it to the corresponding roles, responsibilities and procedures. ISO 20000 section 4.3 (monitoring, measuring and reviewing) states that in order to identify these process areas and improve upon them, a regular audit program must be planned. Users also need to take into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined in a procedure. The selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process. Auditors must not audit their own work. Any significant areas of noncompliance or concern should be communicated to relevant parties and corrective action taken.

Scope creep

As organizations change and grow, the scope of the services provided under the ISO 20000 standard expands. However, the organization oftentimes fails to expand its certification activities to cover any new services. This is known as an “extension to scope.” This can be addressed by following the rules set forth in section 7.2. ISO 20000 section 7.2 (business relationship) requires the service provider and customer to attend a review to discuss any changes to the scope, service-level agreement, contract (if present) or the business needs at least annually, and to hold interim meetings at agreed intervals to discuss performance, achievements, issues and action plans. These meetings shall be documented.

Not everything is recorded or measured

According to ISO 20000 section 4.3 (monitoring, measuring and reviewing), the organization must apply suitable methods for monitoring and, where applicable, measuring service management processes. These methods must demonstrate the suitability of the processes to achieve planned results. Management must then conduct reviews at planned intervals to determine whether the service management requirements:

  • Conform with the service management plan and to the requirements of this standard;
  • Are effectively implemented and maintained.

Additionally, under section 4.4.2 (management improvements), all suggested service improvements shall be assessed, recorded, prioritized and authorized. The service provider must have a process in place to identify, measure, report and manage improvement activities on an ongoing basis.


March 22, 2007

Valuation of IT Initiatives – Business Case

Filed under: Business Case, COBIT, Portfolio Management, Val IT, Valuation, Value Governance — Daniel Ruggles @ 6:15 pm

This brief paper is based on concepts presented by www.isaca.org in their discussion of Val IT under the COBIT© framework.  Val IT is a governance framework that consists of a set of guiding principles, and a number of processes conforming to those principles that help guide where IT spends money. If implemented correctly it will help answer the following questions.

Are we spending money in IT that matches what the business wants?

Does the business stakeholder feel they have influence on spending levels?

Are we managing risk and getting the right return on IT investment (ROI)?

Does the business “own” the risks?

Does our spending investment prove itself over the course of time and can we look back and ensure that the ROI was really met? 

A business case is not a one-time, static document.  It is an operational tool that must be continually updated to reflect the current reality and to support the portfolio management process.

The framework provides guidance to:

  • Define the relationship between IT and the business with governance responsibilities,
  • Manage an organization’s  portfolio of IT-enabled business investments, and
  • Maximize the quality of business cases with emphasis on the definition of key financial indicators, the quantification of “soft” benefits and the comprehensive appraisal of the downside risk.

Definition of Guiding Principles

Guiding Principles are foundational concepts that will guide decision making as the company strives to achieve its future state.  Simply stated, a principle is defined as “a statement of organizational position that can be argued by rational people”.

The value of a “Principle based” Organization:

  • Ensures that an organization’s position is determined by conscious decision making at the highest level.
  • Aids in gaining alignment from all affected organizations and enables common goals to be achieved.
  • Unproductive discussions based on unknown positions are drastically reduced.
  • Projects are based on true alignment, not a set of unilateral non-validated assumptions.

Several key points about principles:

  • Principles do not state what the current situation is; they state the desired positions to which an organization aspires.
  • There are clear reasons why the principle is valid for an organization.

Representative Guiding Principles

  • Investments will include the full scope of activities that are required to achieve business value.

  • Investments will be managed through their full economic life cycle.

  • There are different categories of investments that will be evaluated and managed differently.

  • Delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.

  • Delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.

Representative Processes

To obtain return on investment, the principles should be applied by the stakeholders of the IT-enabled investments in the following processes:

  • Value governance

  • Portfolio management

  • Investment management

Value Governance

The goal of value governance is to optimize the value of investments by:

  • Establishing the governance, monitoring and control framework

  • Providing strategic direction for the investments

  • Defining the investment portfolio characteristics

Portfolio Management

The goal of portfolio management is to ensure that the overall portfolio of IT-enabled investments is aligned with and contributing optimal value to the organisation’s strategic objectives by:

  • Establishing and managing resources (e.g., IT, third-party, business)

  • Defining investment thresholds

  • Evaluating, prioritizing and selecting, deferring, or rejecting investments

  • Managing through monitoring and reporting on portfolio performance

Investment Management

The goal of investment management is to ensure that individual IT-enabled investments deliver optimal value at an affordable cost with a known and acceptable level of risk by:

  • Identifying business requirements

  • Developing a clear understanding of candidate investments

  • Analyzing the alternatives

  • Defining the components of the portfolio and documenting a detailed business case, including the benefit details 

  • Assigning clear accountability and ownership

  • Managing the investment through the full economic life cycle

  • Monitoring and reporting on performance


March 15, 2007

IT Framework Relationships

Filed under: CMM, COBIT, ISO 17799, ISO 20000, ITIL — Daniel Ruggles @ 3:51 pm

There are numerous processes designed to enhance the overall effectiveness of IT, and what oftentimes gets overlooked is how they might fit together.  Described below are the various frameworks, their relationship to one another, and when you might adopt these frameworks over time.  Each of the frameworks has its own set of implementation issues and problem areas for adoption.

  • ITIL maps service delivery to process execution and technical aspects of process control.
  • PMBOK primarily focuses on project management.
  • CMM primarily focuses on software delivery, but can be used to assess maturity of process execution.
  • ISO 20000 is a process to measure the effectiveness and points towards improvements for ITIL.
  • ISO 17799 primarily deals with an overall security process, awareness, standards and measures of control
  • COBIT focuses on process control as well as strategic control in an enterprise
    • Strongly focused on control and less on execution.
      • Helps optimize IT-enabled investments,
      • Ensures service delivery
      • Provides a measure against which to judge when things do go wrong.
  • Six Sigma methodology is the implementation of a measurement-based strategy that focuses on process improvement and variation reduction through the application of Six Sigma improvement

 IT Framework Relationships


What is ITIL?

The IT Infrastructure Library (ITIL) is a series of eight books and is referred to as the only consistent and comprehensive best practice for IT service management to deliver high-quality IT services. Although produced and published by a single governmental body, ITIL is not a standard and is generally referred to as a framework.  There is a lot of work involved in tailoring an implementation to any organization. The published books (subject to change by mid-2007) are:

  • Software Asset Management
  • Service Support
  • Service Delivery
  • Planning to Implement Service Management
  • ICT Infrastructure Management
  • Application Management
  • Security Management
  • Business Perspective, Volume II

There are two main operational components or logical groupings within ITIL, with Security Management completing the underpinning for both groups:

  • Service Support (activities that are more or less performed daily)
  • Service Delivery (activities that tend to take place monthly or quarterly, but at a minimum annually)

ITIL Process Overview

BUSINESS DRIVERS FOR IMPLEMENTING

ITIL is usually implemented subject to one or more of the following business cases:

  • Defining of service processes within the IT organization
  • Defining and improving the quality of services
  • Need to focus on the customer of the IT
  • Implementation of a central help desk function

There are several methods in approaching an implementation of ITIL and having done several operations assessments, I can attest that the two main building blocks that have to be solid are Configuration Management and Change Management.  Both gear their activities off a Configuration Management Data Base (CMDB).  If the CMDB does not exist or if Change Management is a haphazard process, then the other processes within ITIL tend to fail on a regular basis.  Recently more and more vendors are creating products geared specifically towards CMDB (e.g., HP, CA, BMC, etc.) that address a method to collect all of the configuration specifics of your environment.  If you don’t know what you have, it will be problematic when implementing any change, but you can never be certain of the effect of the change.

Two principal concepts characterize the basic thinking of ITIL:

  • Service management—IT service managers:
    • Assure the consideration of requirements for operations and maintenance
    • Develop test plans
    • Identify the effects on existing infrastructure caused by new or modified systems
    • Define future requirements
  • Customer orientation—IT services are to be provided at a level of quality that allows permanent reliance on them. To assure this quality, responsibility is assigned to individuals who:
    • Consult the users and help them use the services in an optimal approach
    • Collect and forward opinions and recommendations of users
    • Track complaints
    • Monitor the users’ appraisals of the services delivered
    • Support internal user groups